Thread: DDoS Question
  #32  
Old 07-05-2009, 11:54 PM
Bob.
Quote:
Originally Posted by -KaaL-
Hi Bob,

I have noted those settings and will do that in case of a DDoS attack.

Also I have CSF installed on my server.
Here are the settings related to Connection Tracking:

Code:
CT_LIMIT  = 200
CT_INTERVAL = 30
CT_EMAIL_ALERT = 1
CT_PERMANENT = 0
CT_BLOCK_TIME = 1800
CT_SKIP_TIME_WAIT = 0
CT_STATES =
CT_PORTS =

During an attack you'll want to lower CT_LIMIT down to around 100, but if you set it to anything lower than that you'll probably begin to see false positives. You can use the "netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr" command to help you fine-tune the limit. I would also enable permanent bans by setting CT_PERMANENT to 1 and set CT_STATES to ESTABLISHED,NEW. If you wanted to 'loosen' things a bit when you're not under attack I would raise CT_LIMIT back up to 200 and disable permanent banning (so if a legitimate user does happen to get picked off, they do not have to contact you to get the block lifted) - once again reducing the risk of false positives.
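An added example, not part of the original post: a variant of the per-IP count pipeline quoted above that skips the netstat header lines, strips only the trailing port so IPv6 and IPv4-mapped addresses are counted correctly (`cut -d: -f1` returns an empty field for them), and lists which addresses a candidate CT_LIMIT would catch. The function names, the sample data, the use of netstat state names for the filter, and the "more than LIMIT" comparison are assumptions made for this example.

```shell
#!/usr/bin/env bash
# count_per_ip [STATES]: read `netstat -ntu` text on stdin, print "count addr"
# sorted by count (descending). STATES is an optional comma-separated list of
# state names as netstat prints them; empty means every state.
count_per_ip() {
  awk -v states="$1" '
    BEGIN { n = split(states, s, ","); for (i = 1; i <= n; i++) want[s[i]] = 1 }
    $1 !~ /^(tcp|udp)/ { next }        # skip the two header lines
    n > 0 && !($6 in want) { next }    # optional state filter
    {
      addr = $5
      sub(/:[0-9*]+$/, "", addr)       # drop only the trailing :port
      sub(/^::ffff:/, "", addr)        # IPv4-mapped IPv6 -> plain IPv4
      count[addr]++
    }
    END { for (a in count) print count[a], a }
  ' | sort -k1,1nr -k2,2
}

# over_limit LIMIT [STATES]: addresses holding more than LIMIT connections,
# i.e. the ones a connection-tracking limit of that size would pick off
# (assumption: the limit counts as exceeded when count > LIMIT).
over_limit() {
  count_per_ip "$2" | awk -v limit="$1" '$1 > limit { print $2 }'
}

# Constructed sample input (documentation address ranges), so the example
# runs offline. On a live server use: netstat -ntu | count_per_ip
sample_netstat() {
  echo "Active Internet connections (w/o servers)"
  echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
  for i in 1 2 3 4 5; do
    echo "tcp        0      0 192.0.2.10:80           198.51.100.7:4000$i      ESTABLISHED"
  done
  for i in 1 2 3; do
    echo "tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:5000$i SYN_RECV"
  done
  echo "tcp        0      0 192.0.2.10:80           198.51.100.7:40009      TIME_WAIT"
  echo "tcp6       0      0 2001:db8::10:443        2001:db8::beef:51000    ESTABLISHED"
}

# Demo on the constructed sample: per-address totals across all states.
sample_netstat | count_per_ip ""
```

Running `netstat -ntu | over_limit 100` during normal traffic shows which clients a limit of 100 would already block, which is the false-positive check the post describes.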